Is AES with random bitstring IND-CPA?

Buzz

10/4/23, 4:40 AM

Let $E:\{0,1\}^{128}\times\{0,1\}^{128}\to\{0,1\}^{128}$ be the AES encryption and $R\gets\{0,1\}^{128}$ uniform random bitstring. Would $E'(K,P):=R\mathbin\|E(K,P)\mathbin\|E(K,R\oplus P)$ be IND-CPA?

I am not sure about my opinion, but I think this would not be IND-CPA since $E$ is determistic and $R$ is used twice in $E'$, therefore showing some pattern.

Can someone explain if $E'$ can be IND-CPA?

0 + 0

aes

chosen-plaintext-attack

DannyNiu

10/4/23, 6:34 AM

Hint: R is used twice in E', but is it used twice across two separate invocations?

DannyNiu

10/4/23, 6:36 AM

2nd hint: Is R used in all places where P is involved?

fgrieu

10/4/23, 8:53 AM

Hint: is $E(K,P)$ IND-CPA? Proof? Adapt that proof for $E′(K,P)$.

kelalaka

10/4/23, 5:51 PM

Ill-defined question. Nobody needs $R$ and $E(K,R\oplus P)$ to decrypt! Assume that it is not. Can you show that $E$ is not $\text{Ind-CPA}$ assuming it was already..

Maarten Bodewes

10/5/23, 12:46 AM

Funny, you could see this as ECB and CBC over the plaintext.